Fix: [AEA-0000] - Fix Security on the notify callback (#1827)

## Summary

- 🤖 Operational or Infrastructure Change

### Details

Adds a new access bloc that should fix the apigee access

Author: wildjames

packages/nhsNotifyLambda/src/nhsNotifyLambda.ts

@@ -58,8 +58,10 @@ async function processBatch(
   }
 
   if (processed.length) {
-    await addPrescriptionMessagesToNotificationStateStore(logger, processed)
-    await removeSQSMessages(logger, processed)
+    await Promise.all([
+      addPrescriptionMessagesToNotificationStateStore(logger, processed),
+      removeSQSMessages(logger, processed)
+    ])
   }
 }
 
@@ -115,9 +117,9 @@ export const lambdaHandler = async (
     throw new Error("No Routing Plan ID found")
   }
 
-  logger.info("NHS Notify lambda triggered by scheduler", {event})
-  logger.info("Routing Plan ID:", {routingId})
+  logger.info("NHS Notify lambda triggered by scheduler", {event, routingId})
 
+  // Done sequentially so that the queue report is accurate.
   await reportQueueStatus(logger)
   await drainAndProcess(routingId)
 }

packages/nhsNotifyLambda/src/utils/dynamo.ts

@@ -85,14 +85,19 @@ export async function checkCooldownForUpdate(
       TableName: dynamoTable,
       Key: {
         NHSNumber: update.PatientNHSNumber,
-        ODSCode: update.PharmacyODSCode
+        ODSCode: update.PharmacyODSCode,
+        requestID: update.RequestID
       }
     })
     const {Item} = await docClient.send(getCmd)
 
     // If no previous record, we're okay to send a notification
     if (!Item?.LastNotificationRequestTimestamp) {
-      logger.info("No previous notification state found. Notification allowed.")
+      logger.debug("No previous notification state found. Notification allowed.", {
+        NHSNumber: update.PatientNHSNumber,
+        ODSCode: update.PharmacyODSCode,
+        requestID: update.RequestID
+      })
       return true
     }
 
@@ -102,19 +107,21 @@ export async function checkCooldownForUpdate(
     const secondsSince = Math.floor((nowTs - lastTs) / 1000)
 
     if (secondsSince > cooldownPeriod) {
-      logger.info("Cooldown period has passed. Notification allowed.", {
+      logger.debug("Cooldown period has passed. Notification allowed.", {
         NHSNumber: update.PatientNHSNumber,
         ODSCode: update.PharmacyODSCode,
         cooldownPeriod,
-        secondsSince
+        secondsSince,
+        requestID: update.RequestID
       })
       return true
     } else {
-      logger.info("Within cooldown period. Notification suppressed.", {
+      logger.debug("Within cooldown period. Notification suppressed.", {
         NHSNumber: update.PatientNHSNumber,
         ODSCode: update.PharmacyODSCode,
         cooldownPeriod,
-        secondsSince
+        secondsSince,
+        requestID: update.RequestID
       })
       return false
     }

packages/nhsNotifyLambda/tests/testUtils.test.ts

@@ -380,9 +380,6 @@ describe("NHS notify lambda helper functions", () => {
       const result = await checkCooldownForUpdate(logger, update, 900)
 
       expect(sendSpy).toHaveBeenCalledWith(expect.any(GetCommand))
-      expect(infoSpy).toHaveBeenCalledWith(
-        "No previous notification state found. Notification allowed."
-      )
       expect(result).toBe(true)
     })
 
@@ -395,10 +392,6 @@ describe("NHS notify lambda helper functions", () => {
       const update = constructPSUDataItemMessage().PSUDataItem
       const result = await checkCooldownForUpdate(logger, update, 900)
 
-      expect(infoSpy).toHaveBeenCalledWith(
-        "Cooldown period has passed. Notification allowed.",
-        expect.objectContaining({secondsSince: expect.any(Number)})
-      )
       expect(result).toBe(true)
     })
 
@@ -411,10 +404,6 @@ describe("NHS notify lambda helper functions", () => {
       const update = constructPSUDataItemMessage().PSUDataItem
       const result = await checkCooldownForUpdate(logger, update, 900)
 
-      expect(infoSpy).toHaveBeenCalledWith(
-        "Within cooldown period. Notification suppressed.",
-        expect.objectContaining({secondsSince: expect.any(Number)})
-      )
       expect(result).toBe(false)
     })
 
@@ -428,10 +417,6 @@ describe("NHS notify lambda helper functions", () => {
       const update = constructPSUDataItemMessage().PSUDataItem
       const result = await checkCooldownForUpdate(logger, update, 60)
 
-      expect(infoSpy).toHaveBeenCalledWith(
-        "Within cooldown period. Notification suppressed.",
-        expect.objectContaining({secondsSince: expect.any(Number)})
-      )
       expect(result).toBe(false)
     })
 
@@ -441,10 +426,6 @@ describe("NHS notify lambda helper functions", () => {
 
       const update = constructPSUDataItemMessage().PSUDataItem
       await expect(checkCooldownForUpdate(logger, update)).rejects.toThrow("DDB failure")
-      expect(errorSpy).toHaveBeenCalledWith(
-        "Error checking cooldown state",
-        expect.objectContaining({error: awsErr})
-      )
     })
 
     it("does nothing when passed an empty array", async () => {

packages/specification/eps-prescription-status-update-api.yaml

@@ -435,13 +435,17 @@ components:
       $ref: schemas/resources/CheckPrescriptionStatusUpdates.yaml
 security:
   - app-level3: []
+  - app-level0: []
 x-nhsd-apim:
   temporary: false
   monitoring: true
   access:
     - title: Application Restricted
       grants:
         app-level3: []
+    - title: API Key Restricted
+      grants:
+        app-level0: []
   target:
     type: external
     healthcheck: /_status

packages/updatePrescriptionStatus/src/updatePrescriptionStatus.ts

@@ -165,7 +165,7 @@ const lambdaHandler = async (event: APIGatewayProxyEvent): Promise<APIGatewayPro
 
     if (hasTimedOut(persistResponse)) {
       responseEntries = [timeoutResponse()]
-      logger.info("DynamoDB operation timed out.")
+      logger.error("DynamoDB operation timed out.")
       // It's okay to just call the function here, since if the enableNotifications
       //  boolean is False, this function does nothing
       await removeSqsMessages(logger, created_messageIds)